-
Publication number: US20160359924A1
Publication date: 2016-12-08
Application number: US15237505
Filing date: 2016-08-15
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Matthew James Wren, Brian Irl Pratt
CPC classification number: H04L63/205, G06F21/60, G06F21/602, H04L9/3247, H04L63/126, H04L63/18, H04L63/20, H04L2463/062
Abstract: A first service submits a request to a second service on behalf of a customer of a service provider. The request may have been triggered by a request of the customer to the first service. To process the request, the second service evaluates one or more policies to determine whether fulfillment of the request is allowed by policy associated with the customer. The one or more policies may state one or more conditions on one or more services that played a role in submission of the request. If determined that the policy allows fulfillment of the request, the second service fulfills the request.
-
Publication number: US09420007B1
Publication date: 2016-08-16
Application number: US14096783
Filing date: 2013-12-04
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Matthew James Wren, Brian Irl Pratt
CPC classification number: H04L63/205, G06F21/60, G06F21/602, H04L9/3247, H04L63/126, H04L63/18, H04L63/20, H04L2463/062
Abstract: A first service submits a request to a second service on behalf of a customer of a service provider. The request may have been triggered by a request of the customer to the first service. To process the request, the second service evaluates one or more policies to determine whether fulfillment of the request is allowed by policy associated with the customer. The one or more policies may state one or more conditions on one or more services that played a role in submission of the request. If determined that the policy allows fulfillment of the request, the second service fulfills the request.
-
Publication number: US20140229739A1
Publication date: 2014-08-14
Application number: US13765239
Filing date: 2013-02-12
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
IPC: G06F21/62
CPC classification number: G06F21/6218, G06F2221/2137, H04L9/088, H04L63/0442, H04L63/06
Abstract: A system uses information submitted in connection with a request to determine if and how to process the request. The information may be electronically signed by a requestor using a key such that the system processing the request can verify that the requestor has the key and that the information is authentic. The information may include information that identifies a holder of a key needed for processing the request, where the holder of the key can be the system or another, possibly third party, system. Requests to decrypt data may be processed to ensure that a certain amount of time passes before access to the decrypted data is provided, thereby providing an opportunity to cancel such requests and/or otherwise mitigate potential security breaches.
-
Publication number: US10673906B2
Publication date: 2020-06-02
Application number: US15900465
Filing date: 2018-02-20
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Matthew James Wren, Brian Irl Pratt
Abstract: A first service submits a request to a second service on behalf of a customer of a service provider. The request may have been triggered by a request of the customer to the first service. To process the request, the second service evaluates one or more policies to determine whether fulfillment of the request is allowed by policy associated with the customer. The one or more policies may state one or more conditions on one or more services that played a role in submission of the request. If determined that the policy allows fulfillment of the request, the second service fulfills the request.
-
Publication number: US10666436B2
Publication date: 2020-05-26
Application number: US15376451
Filing date: 2016-12-12
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
Abstract: A system uses information submitted in connection with a request to determine if and how to process the request. The information may be electronically signed by a requestor using a key such that the system processing the request can verify that the requestor has the key and that the information is authentic. The information may include information that identifies a holder of a key needed for processing the request, where the holder of the key can be the system or another, possibly third party, system. Requests to decrypt data may be processed to ensure that a certain amount of time passes before access to the decrypted data is provided, thereby providing an opportunity to cancel such requests and/or otherwise mitigate potential security breaches.
-
Publication number: US20200082110A1
Publication date: 2020-03-12
Application number: US16673753
Filing date: 2019-11-04
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
IPC: G06F21/62
Abstract: Requests submitted to a computer system are evaluated for compliance with policy to ensure data security. Plaintext and associated data are used as inputs into a cipher to produce ciphertext. Whether a result of decrypting the ciphertext can be provided in response to a request is determined based at least in part on evaluation of a policy that itself is based at least in part on the associated data. Other policies include automatic rotation of keys to prevent keys from being used in enough operations to enable cryptographic attacks intended to determine the keys.
-
Publication number: US10467422B1
Publication date: 2019-11-05
Application number: US13764944
Filing date: 2013-02-12
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
Abstract: Requests submitted to a computer system are evaluated for compliance with policy to ensure data security. Plaintext and associated data are used as inputs into a cipher to produce ciphertext. Whether a result of decrypting the ciphertext can be provided in response to a request is determined based at least in part on evaluation of a policy that itself is based at least in part on the associated data. Other policies include automatic rotation of keys to prevent keys from being used in enough operations to enable cryptographic attacks intended to determine the keys.
-
Publication number: US10211977B1
Publication date: 2019-02-19
Application number: US13765283
Filing date: 2013-02-12
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
Abstract: A security module securely manages keys. The security module is usable to implement a cryptography service that includes a request processing component. The request processing component responds to requests by causing the security module to perform cryptographic operations that the request processing component cannot perform due to a lack of access to appropriate keys. The security module may be a member of a group of security modules that securely manage keys. Techniques for passing secret information from one security module to the other prevent unauthorized access to secret information.
-
Publication number: US10090998B2
Publication date: 2018-10-02
Application number: US15179827
Filing date: 2016-06-10
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Matthew James Wren
Abstract: A request to perform one or more operations using a second key that is inaccessible to a customer of a computing resource service provider is received from the customer, with the request including information that enables the computing resource service provider to select the second key from other keys managed on behalf of customers of the computing resource service provider. A first key, and in addition to the first key, an encrypted first key, is provided to the customer. Data encrypted under the first key is received from the customer. The encrypted first key and the data encrypted under the first key are caused to be stored in persistent storage, such that accessing the data, in plaintext form, from the persistent storage requires use of both a third key and the second key that is inaccessible to the customer.
-
Publication number: US10055594B2
Publication date: 2018-08-21
Application number: US15069851
Filing date: 2016-03-14
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Eric Jason Brandwine, Matthew James Wren
CPC classification number: G06F21/602, G06F21/6218, G06F21/6254
Abstract: A service proxy serves as an application programming interface proxy to a service, which may involve data storage. When a request to store data is received by the service proxy, the service proxy encrypts the data and stores the data in encrypted form at the service. Similarly, when a request to retrieve data is received by the service proxy, the service proxy obtains encrypted data from the service and decrypts the data. The data may be encrypted using a key that is kept inaccessible to the service.